The Thin Line Between Security & User Experience in Software Development
Let’s discuss the challenges of striking the right balance between robust security measures and user-friendly experiences in software, with references to my guy, El Carlos, from Mexico.
There’s this bank app I hate. Every time I attempt to log in, I’m required to enter an OTP sent to my phone number. As if that’s not crazy enough, the app logs me out the moment I minimise it, say when I need to quickly copy an account number from outside the app. And when I’m ready to make a money transfer, it demands both a transfer PIN and another OTP sent to my phone.
Sounds secure? Yes, if you’re trying to secure the fortune of the Saudis.
I always say to myself, “It’s not this serious”. But maybe it’s that serious. If you’ve ever lost $$$ to a phishing scam, you’ll know how deep your pocket is.
But between ensuring security and avoiding annoying user experience, where do you draw the line? Where does the other guy draw it? And where do I draw the line?
For the sake of clarity, let me define the terms.
Security in this context = the measures a product takes to protect its users and their data, e.g. passwords, PINs, 2FA, TOTP, etc.
User experience in this context = how convenient it is for a user to use a product. That is, how little the product annoys you.
Back to the topic…
I would argue that this bank app I hate is overdoing the security, to the point where it tips over into bad user experience and starts to feel impractical. Still, I might disagree with myself, because money is hard to make and painful to lose.
Weirdly, drawing the line between good security and good user experience is not the issue. It’s more that the line is so thin that, if we’re not careful, we don’t even notice when we cross it.
Nevertheless, let’s explore the subject from both sides of the equation.
Why products may give more room for security…
1. Protecting Users:
It's important to protect the user; it’s a duty. And it’s even more important to understand that not all users are security-savvy enough to protect themselves effectively, which is why some security steps end up being mandatory.
2. Reputation Management:
Imagine you own a financial product, and some dude is dragging your company on Twitter because, apparently, the money in his account disappeared into thin air overnight.
He claims no one had access to his account and that your product stole his balance.
He’s not playing, and he’s ready to give your business a few weeks of bad press over this matter. Unfortunately for you, it’s 2024, and the motto for the year is “no gree for anybody”.
Apparently, his cunning brother knew his password; he also knew his PIN. The brother needed some quick bucks to impress his new Instagram chick, so he pulled a fast one on him. But the Twitter dude doesn’t know that. To him, your product robbed him.
You would ask yourself, “to protect our reputation against situations like this, maybe we should mandate facial verification to process transfers?”.
3. Lessons from Past Incidents:
…or take the case of a popular B2B payment provider in Nigeria, where hackers got hold of businesses’ API keys and used the API to wire money out of several businesses. How did it happen? Who knows. But it did happen.
Now, every B2B payment provider in Nigeria has taken that as a lesson and mandates IP whitelisting for API access. That solves the problem well enough, although it introduces another one for businesses with dynamic IPs: a stolen key is useless from an attacker’s machine, but a legitimate caller whose address keeps changing gets locked out too. But once bitten, twice shy.
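IP whitelisting for an API key is simple to state but easy to get wrong at the edges, so here is an added example of the check itself (my own illustration, not any provider’s code). It assumes keys live in an in-memory table (the key names and addresses are made up), that allowlist entries may be single addresses or CIDR ranges (the usual answer for a business whose address moves around inside a block it controls), and that the service sits behind exactly one known reverse proxy. The part to look at is the proxy header: if the check trusts X-Forwarded-For from anyone, an attacker with a stolen key just puts the whitelisted IP in the header and the whitelist is worthless.

```python
"""Per-API-key IP allowlist check (added example, not any provider's code).

Assumptions, none of which come from the post: keys and their allowlists
live in an in-memory dict, entries are single IPs or CIDR ranges, and the
service sits behind exactly one known reverse proxy listed in TRUSTED_PROXIES.
"""
import ipaddress
from typing import Optional

# Constructed sample data. "alpha" is allowed from one office address plus a
# /29 block it controls, which is how a customer whose address changes inside
# a known range normally gets served. "beta" has not configured an allowlist
# yet, so its key cannot be used from anywhere (fail closed).
API_KEYS = {
    "sk_live_alpha": ["203.0.113.10", "198.51.100.8/29"],
    "sk_live_beta": [],
}
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]):
    """Work out which address to check against the allowlist.

    X-Forwarded-For is honoured only when the direct peer is our own proxy;
    from anyone else it is attacker-controlled and is ignored, otherwise a
    stolen key plus a forged header walks straight past the whitelist.
    """
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and peer in TRUSTED_PROXIES:
        # Our proxy appends the client it actually saw as the last element.
        return ipaddress.ip_address(x_forwarded_for.split(",")[-1].strip())
    return peer


def allowed(api_key: str, remote_addr: str,
            x_forwarded_for: Optional[str] = None) -> bool:
    """True only if the key exists, has an allowlist, and the resolved client
    IP falls inside one of that key's allowlisted addresses or ranges."""
    entries = API_KEYS.get(api_key)
    if not entries:
        return False  # unknown key, or key with no allowlist configured
    try:
        ip = client_ip(remote_addr, x_forwarded_for)
        return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)
    except ValueError:
        return False  # malformed address anywhere in the chain: fail closed


if __name__ == "__main__":
    # A stolen key used from an attacker's box, with and without a forged header.
    print(allowed("sk_live_alpha", "192.0.2.1"))                  # False
    print(allowed("sk_live_alpha", "192.0.2.1", "203.0.113.10"))  # False
    # The real customer, arriving through our proxy from inside its /29.
    print(allowed("sk_live_alpha", "10.0.0.5", "198.51.100.12"))  # True
```

A customer on a genuinely dynamic address still cannot be served by this check alone; the honest fix on their side is a static egress (a NAT gateway or VPN endpoint) so that there is a range to whitelist at all.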
4. Target Audience:
I’d say certain products, especially those targeting crypto enthusiasts or older generations, need heavier security padlocks because their users are more exposed. In such cases, going Rambo on security could be a foundational principle.
The short story of El Carlos…
There’s this guy I know called El Carlos. He owns a nightclub in Mexico, and he got tired of people coming into the club with weapons. They would disrupt his business, threaten people, get drunk and refuse to pay. He realised the root problem was that people were able to come in with weapons.
So, he instructed the bouncers to search everyone at the entrance. For them to do that effectively, people had to take off their shoes and socks, remove their belts and caps, empty out their bags and submit to a pat-down before they were cleared to enter.
This worked, and it put an end to the nonsense he was facing, because those with weapons were denied entry. That’s what we mean by going Rambo with security to protect your product and its users.
On the flipside, some products may give more room for user experience…
1. Ease Of Use:
At its core, software exists to serve users and make their lives easier, which is why having to enter an OTP every time I need to log in can be annoying.
Some products prioritise user experience because they understand that a seamless, intuitive, and enjoyable user experience can lead to higher user satisfaction and positive referrals.
2. Competitive Disadvantage:
We can also look at it from a competitive angle. If your competitors make 2FA optional, mandating it for your product is already a competitive disadvantage. Because, as much as you’re trying to keep users safe, you might lose customers who value convenience over security.
3. Target Audience:
Products targeted at Gen Z also sometimes go easy on mandatory security procedures, because a larger-than-average share of that audience is internet-savvy enough to protect themselves, and it’s a very volatile audience that zooms off at the slightest inconvenience. Non-finance products may also choose to favour user experience over security because there isn’t much to padlock (though even there, a reused password is worth something to an attacker, so the account itself still needs protecting).
Back to the story of El Carlos…
Now, back to my guy, El Carlos, the owner of that club in Mexico. Having people strip down and empty out their bags before gaining entrance to your club is not exactly a good customer experience and can be a big turnoff for legitimate customers. I wouldn’t feel entirely comfortable doing that, and I could just go to another club.
Striking a balance…
Finding the right balance between security and user experience depends on the product, its audience and also the business decisions.
But talking of smartly striking a balance, let me give a quick breakdown of how KuCoin and Binance handle security in relation to sending out funds.
On Binance, when you have 2FA active, every time you want to send out funds you’re expected to provide your 2FA code along with a code sent to your email, even if the crypto address you’re sending to is on your whitelist.
Note: A whitelisted crypto address is like a pre-added beneficiary. And to whitelist an address, you have to provide a TOTP code and a code sent to your email, which effectively means your whitelisted addresses are trusted.
On KuCoin, same scenario. But once you whitelist an address, you’re only required to provide your PIN to send to it. However, for high-value transactions, some extra checks may come in before it is processed.
Binance is a good example of going Rambo with security, while KuCoin has found a smart way to strike a balance. There’s a better user experience withdrawing on KuCoin, but I wouldn’t say it is less secure than Binance, as it doesn’t protect the user less: the strong checks were already paid for when the address was whitelisted, so someone who only knows your PIN can neither add their own address nor send to anything but addresses you vouched for, and the high-value check still catches the big withdrawals.
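To make the Binance/KuCoin difference concrete, here is an added example of the policy as a small step-up engine (my own illustration, not either exchange’s code). The factor names, the high-value threshold and the “manual_review” stand-in for KuCoin’s unspecified extra checks are all assumptions, as are the sample addresses; verifying a TOTP or email code is assumed to happen elsewhere, and callers pass in the set of factors that actually checked out.

```python
"""Step-up withdrawal policy (added example; not Binance's or KuCoin's code).

Assumptions not taken from the post: factor names ("pin", "totp",
"email_code"), the high-value threshold, and "manual_review" as a stand-in
for KuCoin's unspecified extra checks. Verifying each factor is assumed to
happen elsewhere; callers pass in the set of factors that actually checked out.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Both exchanges demand these two before an address can be whitelisted.
STRONG = frozenset({"totp", "email_code"})


@dataclass
class WithdrawalPolicy:
    always_strong: bool   # True: strong factors on every withdrawal (Binance-style)
    high_value: Decimal   # at or above this amount, extra checks apply regardless
    whitelist: set = field(default_factory=set)

    def __post_init__(self):
        # Money is never a float; accept str/int/Decimal and normalise.
        self.high_value = Decimal(str(self.high_value))

    def add_to_whitelist(self, address: str, presented: set) -> bool:
        """Whitelisting is where trust in an address is earned, so it always
        costs the strong factors. Someone holding only the PIN cannot add
        an address of their own here."""
        if not STRONG <= presented:
            return False
        self.whitelist.add(address)
        return True

    def required_factors(self, address: str, amount) -> frozenset:
        """Which factors this withdrawal must present before it goes out."""
        if self.always_strong or address not in self.whitelist:
            needed = set(STRONG)
        else:
            needed = {"pin"}  # trusted address: low friction (KuCoin-style)
        if Decimal(str(amount)) >= self.high_value:
            needed.add("manual_review")  # stand-in for "extra checks"
        return frozenset(needed)

    def authorise(self, address: str, amount, presented: set) -> bool:
        """Allow the withdrawal only if every required factor was presented."""
        return self.required_factors(address, amount) <= presented


if __name__ == "__main__":
    # Constructed sample addresses and threshold.
    binance_like = WithdrawalPolicy(always_strong=True, high_value="10000")
    kucoin_like = WithdrawalPolicy(always_strong=False, high_value="10000")
    for policy in (binance_like, kucoin_like):
        policy.add_to_whitelist("bc1qexample", {"totp", "email_code"})
    print(sorted(binance_like.required_factors("bc1qexample", "50")))  # ['email_code', 'totp']
    print(sorted(kucoin_like.required_factors("bc1qexample", "50")))   # ['pin']
    # An attacker holding only the PIN: cannot add an address, cannot send elsewhere.
    print(kucoin_like.add_to_whitelist("bc1qattacker", {"pin"}))        # False
    print(kucoin_like.authorise("bc1qattacker", "50", {"pin"}))         # False
```

The design choice worth noticing is that the low-friction path only exists for addresses that already cleared the strong check, and the amount threshold applies on top of it, so relaxing the per-withdrawal prompt does not relax what an attacker with a single stolen factor can do.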
If I could advise El Carlos…
I would say he should simplify the security search at the entrance.
He can get a smart scanner that makes the search easier. This means people won’t have to strip naked before entering the club.
That way, we can say there’s an even blend between security and user experience.
But I can’t advise El Carlos, because El Carlos doesn’t exist, and I don’t know anyone from Mexico 🤣